Predictable Identifier Vulnerability in Fiber Web Framework by GoFiber
CVE-2025-66630

9.2 CRITICAL

Key Information:

Vendor: Gofiber

CVE Published: 9 February 2026

What is CVE-2025-66630?

Fiber, an Express-inspired web framework written in Go, has a vulnerability affecting versions prior to 2.52.11. On Go versions earlier than 1.24, the crypto/rand implementation may not reliably provide secure randomness, and the UUID functions in Fiber v2 do not signal that failure. Application developers can therefore end up using predictable, repeated, or low-entropy identifiers in security-critical contexts. Middleware components that rely on the UUID functionality, such as session management, CSRF protection, rate limiting, and request-ID generation, are affected. The vulnerability has been addressed in version 2.52.11.

Affected Version(s)

fiber < 2.52.11

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
